First published: 28th February 2009
Microsoft has issued Security Advisory 967940 on a new update that fixes a flaw in how AutoRun is switched off in Windows. The flaw was published in March 2008. Microsoft is, confusingly, claiming that this is not a security update, saying, "we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security."
According to the original vulnerability note, the autorun feature is supposed to be disabled when the NoDriveTypeAutoRun registry value is set to 0xFF; however, the operating system enables some AutoPlay features that may not have been enabled prior to setting that registry value. For example, a program specified in autorun.inf may be executed when a device icon is clicked.
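As an added example, not taken from the advisory or the vulnerability note, the following PowerShell reads the NoDriveTypeAutoRun value referred to above from the machine-wide and per-user policy keys and decodes it, so an administrator can see which drive types still have AutoRun enabled. The bit-to-drive-type mapping is the documented Windows drive-type bitmask and is assumed here; a set bit disables AutoRun for that type. Note that, as the post explains, finding 0xFF only shows the value is configured: before the update described in Advisory 967940 the double-click AutoPlay path was still open, so the value alone does not prove the flaw is closed.

```powershell
# Added example: audit NoDriveTypeAutoRun in the two policy locations
# Explorer consults. Bit values are the documented drive-type bits (assumed).
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown drive type' },
    @{ Bit = 0x02; Name = 'No root directory' },
    @{ Bit = 0x04; Name = 'Removable (USB, floppy)' },
    @{ Bit = 0x08; Name = 'Fixed (hard disk)' },
    @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD-ROM / DVD' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Reserved' }
)

# Machine policy and user policy; both are checked so a weaker per-user
# setting is not overlooked.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    foreach ($key in $PolicyKeys) {
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{
                Key    = $key
                Value  = $null
                Status = 'not set (Windows default applies)'
            }
            continue
        }

        $value = [int]$item.NoDriveTypeAutoRun

        # A clear bit means AutoRun is still allowed for that drive type.
        $stillEnabled = foreach ($entry in $DriveTypeBits) {
            if (($value -band $entry.Bit) -eq 0) { $entry.Name }
        }

        $status = if ($value -eq 0xFF) {
            'AutoRun disabled for all drive types (0xFF)'
        } else {
            'AutoRun still enabled for: ' + ($stillEnabled -join ', ')
        }

        [pscustomobject]@{
            Key    = $key
            Value  = ('0x{0:X2}' -f $value)
            Status = $status
        }
    }
}

# Usage: run in an elevated PowerShell session to read the HKLM key reliably.
Get-AutoRunPolicy | Format-List
```

The script only reads the registry; it does not change anything. A sensible follow-up check on a managed estate is to confirm that the update from the advisory is installed alongside the 0xFF setting, since the post's point is that the registry value on its own was not honoured for the double-click case.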
The autorun feature has been criticised by security commentators since it was introduced with Windows 95, as it makes it difficult to avoid executing programs from untrusted media. The "feature" was exploited by Sony to install unauthorised software in 2005 and, more recently, used by Conficker as one of several vectors to spread.